High level encryption provides a higher level of security and finer control over security features. The minimum level of security that you can set is to allow any changes except extracting pages.

Once you set encryption on a document, it cannot be processed in other ways unless the password is available to the processing software. You can also change or remove encryption in Acrobat.

Owner and user passwords

All levels of security allow you to set passwords for the document:

User password: controls who may view a document.

Owner password (required): controls who may make changes to permissions and passwords securing a document.

You must set an Owner password to apply encryption. Do not use the same password for both User and Owner. If the same password is used for both, only the User password will be set.

Different versions of Acrobat use different terminology to refer to the same concepts. You’ll see more of this in High-level encryption password nomenclature as described in the following table for various versions of Adobe Acrobat:

Type

Acrobat X, XI & DC

User

Document Open

Owner

Change Permissions

Encryption Permissions

Acrobat allows you to set various permissions to limit access to the information in the document. Adobe changes the use of permissions when they moved from 40-bit key lengths to 128-bit key lengths. The sections below detail the different options and permissions based on using 40-bit or 128/256 bit key lengths.

The following is an example of the security options in Acrobat X, XI & DC:

The first four permissions can be used in any combination, except you can’t use -noprint and -nohighres together. Choose one or the other. The last four must be used in specific combinations that Acrobat accepts.

-encrypt — Encrypt output file (optional)

Specifies applying encryption to the output file using the RC4 stream cypher. This option is the same as -rc4.

-keylength <int> — Encryption level (optional)

-ownerpass <password> — New owner password (required)

Specifies a new Owner password to apply encryption. An Owner password restricts you from altering the security settings. You are not prompted for a password to open the document, only if you try to change the security settings. Passwords are case sensitive and are required when applying encryption.

Choose passwords carefully. They should not be able to be guessed easily but at the same time should not be too difficult for you to remember. If you forget a password, there is no way to recover it from the document. Therefore, it is a good idea to note passwords in another secure location.

-userpass <password> — Set user password (optional)

Specifies a User password for the document. Setting a User password prevents a document from being opened unless the correct password is supplied. Passwords are case sensitive.

Below is the Document Open Password dialog box.

When someone tries to open the document in Acrobat they will be asked for the password.

User password is optional. If you do not specify a User password, anyone can open the document.

-remove — Remove all encryption from the PDF document

If a PDF file already has encryption set and you wish to change the settings or remove encryption (APCrypt/SecurSign only), you need to supply the owner password in order to make changes to the file.

Document Permissions

-noprint — Do not allow printing (optional)

Specifies that the document cannot be printed. When the document is opened, the print icon on the toolbar and the Print option under the file menu will be grayed out.

At the 128-bit and 256-bit encryption level there is also an option to allow low resolution printing only. See the section High-level encryption for more detail.

-nomodify — Do not allow modifying the document (optional)

Specifies that the document cannot be modified. You will not be able to modify text or pages in the document when this option is used. You can fill in form fields, or add notes or other annotations.

With -nomodify, the following tools are grayed out and cannot be used when the document is opened in Acrobat:

Crop tool

Movie tool

Link tool

Article tool

Form tool

Digital Signature tool

Text can be selected for copying but cannot be cut, pasted or cleared.

-nocopy — Do not allow copying text or graphics (optional)

Specifies text and graphics cannot be copied.

With -nocopy, the following tools are grayed out and cannot be used when the document is opened in Acrobat:

Text Select tool

Touch-Up Text tool

Table/Formatted Text Select tool

-nonotes — Do not allow adding or changing notes or form fields (optional)

Specifies that annotations cannot be added or changed in the document. Annotations include notes, highlighted text, form fields and pencil marks. Annotations can be in text, graphic or audio format, or even attached external files.

With -nonotes, the following tools are grayed out and cannot be used when the document is opened in Acrobat:

Notes tool

Pencil tool

Highlight Text tool

Form tool

Digital Signature tool

Free Text tool

Sound Attachment tool

Stamp tool

File Attachment

Square tool

Circle tool

Line tool

-noaccess — Do not allow accessibility (optional)

Specifies content accessibility is not allowed. Content accessibility provides the vision and motion-challenged community with the tools and resources to make digital information more accessible. To learn more about content accessibility consult the Acrobat Help guide within Acrobat.

-nohighres — Do not allow high resolution printing (optional)

-nofill — Do not allow filling form fields or signing fields

Specifies that no changes can be made to form fields or digital signature fields. This setting effectively prevents a filled-in form from being changed.

-noassembly — Do not allow document assembly

Specifies that no new pages can be added or removed from the PDF document. Also prevents rotating pages in the document. Effectively prevents pages being removed from the PDF document to be used elsewhere.

Permissions Allowed with 40-bit Encyption

The table below shows how the software application security options correspond to Acrobat’s security restrictions. The “Changes Allowed” column below lists the features still available after the document is secured.

Option

Restrictions Set
(Not Allowed)

Changes Allowed

-nocopy

Content Copying or Extraction
Content Accessibility

-noprint

Printing

-nomodify
-nonotes

Changing the Document
Document Assembly
Authoring Comments and Form Fields
Form Field Fill-in or Signing

The table below shows security options vs. restrictions set with high level encryption. These combinations are discussed below.

Option

Restrictions Set
(Not Allowed)

-noaccess

Content Accessibility

-nocopy

Content Copying or Extraction

-noprint

Printing

-nohighres

Only Low Resolution Printing is allowed

-nomodify
-nonotes
-nofill
-noassembly

Changing the Document
Authoring Comments and Form Fields
Form Field Fill-in or Signing
Document Assembly

-nomodify
-nonotes
-nofill

Changing the Document
Authoring Comments and Form Fields
Form Field Fill-in or Signing

-nomodify
-nonotes
-noassembly

Changing the Document
Authoring Comments and Form Fields
Document Assembly

-nomodify
-noassembly

Changing the Document
Document Assembly

none

Allow no changes with -nomodify -noassembly -nonotes -nofill

Turning off all changes means: do not allow document modification (-nomodify), do not allow document assembly (-noassembly), do not allow the adding or changing of notes or form fields (-nonotes) and do not allow the fill-in or signing of form fields (-nofill). These options must all be used together for this setting to be made.

These options specify: do not allow document modification (-nomodify), do not allow the adding or changing of notes or form fields (-nonotes) and do not allow the fill-in or signing of form fields (-nofill).

Allow filling in form fields, and signing with -nomodify -noassembly -nonotes

This setting only allows form field fill-in or signing.

These options specify: do not allow document modification (-nomodify), do not allow document assembly (-noassembly), and do not allow the adding or changing of notes or form fields (-nonotes).

Allow commenting, filling in form fields, and signing with -nomodify -noassembly

This setting allows the adding or changing of notes or form fields and the fill-in or signing of form fields.

These options specify: do not allow document modification (-nomodify), and do not allow document assembly (-noassembly).

Allow any except extracting pages with no options

If you don’t use any Changes Allowed options, Acrobat will allow any changes except extracting pages.

Verifying Security Features

In the example shown below, both a User password and an Owner password are set, only low resolution printing is allowed, changing the document, content copying and extraction, authoring comments and form fields, and form field fill-in or signing are not allowed, content accessibility and document assembly are allowed and encryption is 128-bit.